chore(deps): update github actions monthly minor/patch

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	minor	v2.2.3 -> v2.3.0
anchore/sbom-action	action	minor	v0.18.0 -> v0.19.0
docker/build-push-action	action	minor	v6.15.0 -> v6.16.0
github/codeql-action	action	patch	v3.28.13 -> v3.28.16
softprops/action-gh-release	action	patch	v2.2.1 -> v2.2.2

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v2.3.0

Compare Source

What's Changed

• Bump actions/attest from 2.2.1 to 2.3.0 by @​bdehamer in https://github.com/actions/attest-build-provenance/pull/615
  • Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

anchore/sbom-action (anchore/sbom-action)

v0.19.0

Compare Source

Changes in v0.19.0

• chore(deps): update Syft to v1.23.0 (#​521)
• chore(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 (#​519)
• chore(deps): bump cross-spawn (#​514)

docker/build-push-action (docker/build-push-action)

v6.16.0

Compare Source

• Handle no default attestations env var by @​crazy-max in https://github.com/docker/build-push-action/pull/1343
• Only print secret keys in build summary output by @​crazy-max in https://github.com/docker/build-push-action/pull/1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in https://github.com/docker/build-push-action/pull/1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

github/codeql-action (github/codeql-action)

v3.28.16

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #​2863

See the full CHANGELOG.md for more information.

v3.28.15

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #​2842

See the full CHANGELOG.md for more information.

v3.28.14

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.14 - 07 Apr 2025

• Update default CodeQL bundle version to 2.21.0. #​2838

See the full CHANGELOG.md for more information.

softprops/action-gh-release (softprops/action-gh-release)

v2.2.2

Compare Source

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in https://github.com/softprops/action-gh-release/pull/316

Other Changes 🔄

• chore: simplify ref_type test by @​steinybot in https://github.com/softprops/action-gh-release/pull/598
• fix(docs): clarify the default for tag_name by @​muzimuzhi in https://github.com/softprops/action-gh-release/pull/599
• test(release): add unit tests when searching for a release by @​rwaskiewicz in https://github.com/softprops/action-gh-release/pull/603
• dependency updates

New Contributors

• @​steinybot made their first contribution in https://github.com/softprops/action-gh-release/pull/598
• @​muzimuzhi made their first contribution in https://github.com/softprops/action-gh-release/pull/599
• @​galargh made their first contribution in https://github.com/softprops/action-gh-release/pull/316
• @​rwaskiewicz made their first contribution in https://github.com/softprops/action-gh-release/pull/603

Full Changelog: softprops/action-gh-release@v2...v2.2.2

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/attest-build-provenance	db473fddc028af60658334401dc6fa3ffd8669fd	Unknown	Unknown
actions/anchore/sbom-action	9f7302141466aa6482940f15371237e9d9f4c34a	🟢 4.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/docker/build-push-action	14487ce63c7a62a4a324b0bfb37086795e31c6c1	🟢 5.8	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/softprops/action-gh-release	da05d552573ad5aba039eaac05058a918a7bf631	🟢 5.2	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/actions/attest-build-provenance	db473fddc028af60658334401dc6fa3ffd8669fd	Unknown	Unknown
actions/anchore/sbom-action	9f7302141466aa6482940f15371237e9d9f4c34a	🟢 4.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/docker/build-push-action	14487ce63c7a62a4a324b0bfb37086795e31c6c1	🟢 5.8	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/softprops/action-gh-release	da05d552573ad5aba039eaac05058a918a7bf631	🟢 5.2	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/actions/attest-build-provenance	db473fddc028af60658334401dc6fa3ffd8669fd	Unknown	Unknown
actions/anchore/sbom-action	9f7302141466aa6482940f15371237e9d9f4c34a	🟢 4.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/docker/build-push-action	14487ce63c7a62a4a324b0bfb37086795e31c6c1	🟢 5.8	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/softprops/action-gh-release	da05d552573ad5aba039eaac05058a918a7bf631	🟢 5.2	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/actions/attest-build-provenance	db473fddc028af60658334401dc6fa3ffd8669fd	Unknown	Unknown
actions/anchore/sbom-action	9f7302141466aa6482940f15371237e9d9f4c34a	🟢 4.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/docker/build-push-action	14487ce63c7a62a4a324b0bfb37086795e31c6c1	🟢 5.8	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/softprops/action-gh-release	da05d552573ad5aba039eaac05058a918a7bf631	🟢 5.2	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/actions/attest-build-provenance	db473fddc028af60658334401dc6fa3ffd8669fd	Unknown	Unknown
actions/anchore/sbom-action	9f7302141466aa6482940f15371237e9d9f4c34a	🟢 4.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/docker/build-push-action	14487ce63c7a62a4a324b0bfb37086795e31c6c1	🟢 5.8	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/softprops/action-gh-release	da05d552573ad5aba039eaac05058a918a7bf631	🟢 5.2	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/actions/attest-build-provenance	db473fddc028af60658334401dc6fa3ffd8669fd	Unknown	Unknown
actions/anchore/sbom-action	9f7302141466aa6482940f15371237e9d9f4c34a	🟢 4.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/docker/build-push-action	14487ce63c7a62a4a324b0bfb37086795e31c6c1	🟢 5.8	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/softprops/action-gh-release	da05d552573ad5aba039eaac05058a918a7bf631	🟢 5.2	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/actions/attest-build-provenance	db473fddc028af60658334401dc6fa3ffd8669fd	Unknown	Unknown
actions/anchore/sbom-action	9f7302141466aa6482940f15371237e9d9f4c34a	🟢 4.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/docker/build-push-action	14487ce63c7a62a4a324b0bfb37086795e31c6c1	🟢 5.8	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/softprops/action-gh-release	da05d552573ad5aba039eaac05058a918a7bf631	🟢 5.2	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/actions/attest-build-provenance	db473fddc028af60658334401dc6fa3ffd8669fd	Unknown	Unknown
actions/anchore/sbom-action	9f7302141466aa6482940f15371237e9d9f4c34a	🟢 4.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/docker/build-push-action	14487ce63c7a62a4a324b0bfb37086795e31c6c1	🟢 5.8	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/softprops/action-gh-release	da05d552573ad5aba039eaac05058a918a7bf631	🟢 5.2	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif	28deaeda66b76a05916b6923827895f2b14ab387	Unknown	Unknown

Scanned Files

• .github/workflows/athenapdf-service-image.yaml
• .github/workflows/database-tools-image.yaml
• .github/workflows/docker-host-image.yaml
• .github/workflows/drush-alias-image.yaml
• .github/workflows/insights-scanner-image.yaml
• .github/workflows/insights-trivy-image.yaml
• .github/workflows/logs-concentrator-image.yaml
• .github/workflows/logs-dispatcher-image.yaml
• .github/workflows/ossf-analysis.yaml